The Internet Storm Center has begun the month, in what may inevitably come to be called August, Security Tip Month, with a series of security tips, including an article on the use of strong passwords.
It is generally considered good practice to use ever more complex passwords or passphrases in authentication systems, to rotate them every month or week, and to require a certain length and complexity; however, this introduces a number of problems.
Complex passwords are more likely to be written down on post-it notes and either left lying around on the desk or stuck to the monitor of the very device the password is meant to protect. This is simply human nature: people generally struggle to memorise truly random passwords, and when faced with having to remember six in rotation they will simply resort to writing them down.
Writing a password down is not necessarily a bad thing, and we would actually recommend doing so, but treat it much as you would your credit card and keep it in the one thing you always have with you: your wallet or purse.
The use of passwords is quite ‘old hat’ now anyway, and their use should be deprecated within the next few years. The article hints at this as well, and its author would like tips on how not to use passwords.
For such an endeavour, we suggest the use of two- or three-factor authentication.
Two-factor authentication involves keeping a hardware device, for example a USB token, which contains a cryptographic keypair of such complexity that the human brain could not remember it, and of such size that it would take a computer eons to crack.
Since this is a hardware device which can be carried, and thus lost, the keypair is protected with a passphrase.
You thus authenticate yourself to the keypair (or token), and the token authenticates you to the device.
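As an added illustration of the two layers just described (not code from the original post or from any real token), here is a constructed Python model: the passphrase unlocks the token, and only an unlocked token can answer a fresh random challenge from the device. HMAC stands in for the token's asymmetric keypair, and the retry lockout and the `Device` class are assumptions.

```python
import hashlib
import hmac
import secrets
# Constructed model, not any real token's firmware. HMAC stands in for the asymmetric
# keypair a real token carries, so the device holds a copy of the secret, not a public key.
def _kek(passphrase: str, salt: bytes) -> bytes:
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

class Token:
    MAX_ATTEMPTS = 3  # hypothetical lockout, like a smart card's PIN retry counter
    def __init__(self, secret: bytes, passphrase: str):
        self._salt = secrets.token_bytes(16)
        kek = _kek(passphrase, self._salt)
        self._wrapped = bytes(a ^ b for a, b in zip(secret, kek))  # secret never stored bare
        self._check = hmac.new(kek, b"unlock-check", "sha256").digest()
        self._unlocked, self._failures = None, 0
    def unlock(self, passphrase: str) -> bool:
        # First factor: the user authenticates to the token with the passphrase.
        if self._failures >= self.MAX_ATTEMPTS:
            return False  # too many bad passphrases: the token stays locked for good
        kek = _kek(passphrase, self._salt)
        if not hmac.compare_digest(hmac.new(kek, b"unlock-check", "sha256").digest(), self._check):
            self._failures += 1
            return False
        self._unlocked, self._failures = bytes(a ^ b for a, b in zip(self._wrapped, kek)), 0
        return True
    def respond(self, challenge: bytes) -> bytes:
        # Second factor: only an unlocked token can answer the device's challenge.
        if self._unlocked is None:
            raise PermissionError("token is locked: present the passphrase first")
        return hmac.new(self._unlocked, challenge, "sha256").digest()

class Device:
    def __init__(self, enrolled_secret: bytes):
        self._secret, self._outstanding = enrolled_secret, set()
    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)  # fresh per login, so a captured response cannot be replayed
        self._outstanding.add(c)
        return c
    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:  # never issued, or already used
            return False
        self._outstanding.discard(challenge)
        return hmac.compare_digest(hmac.new(self._secret, challenge, "sha256").digest(), response)

def login(device: Device, token: Token, passphrase: str) -> bool:
    if not token.unlock(passphrase):  # wrong passphrase: the device is never even contacted
        return False
    c = device.challenge()
    return device.verify(c, token.respond(c))
```

Losing the token alone gains an attacker nothing without the passphrase, and a wrong passphrase three times in a row leaves the token permanently locked.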
Better still are three-factor authentication systems, which rely on the following concepts:
- Something you are - a fingerprint, iris pattern or DNA sequence
- Something you have - a token, key or card
- Something you know - a passphrase, keycode or your mother's maiden name*
The article links to a common analogy for password usage in universities, that ‘passwords are like underwear’. If you are going to take this literally, we do suggest you start rotating your password daily…
* We don’t actually suggest using your mother's maiden name, or your cat’s name, for authentication. Anything that is public knowledge is easily guessed by an attacker.